🚧 poc of rustscan script generator

2024-09-13 14:32:10 +07:00 · 2024-09-13 14:32:10 +07:00 · 7ef34db19b
parent e795a3bed9
commit 7ef34db19b
5 changed files with 67 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -172,6 +172,7 @@
            ++ [
              ./machines/${name}/configuration.nix
              nix-topology.nixosModules.default
+              self.nixosModules.scan
            ];
        };

@ -376,6 +377,7 @@
          clan-core.flakeModules.default
          ./nix/formatter.nix
          ./nix/packages
+          ./nix/scan
          ./nix/topology
        ];

--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@ -71,6 +71,10 @@
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "contact@ingolf-wagner.de";

+  verify.closed.wg0.domain = "10.100.0.1";
+  verify.closed.public.domain = "orbi.public";
+  verify.closed.public.ports = [ 4317 ];
+
  # chungus rsync
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD"
--- a/machines/orbi/media-arr.nix
+++ b/machines/orbi/media-arr.nix
@ -6,6 +6,12 @@
    8686
  ];

+  verify.closed.public.ports = [
+    7878
+    8989
+    8686
+  ];
+
  # download series
  services.sonarr = {
    enable = true;
--- a/nix/scan/default.nix
+++ b/nix/scan/default.nix
@ -0,0 +1,31 @@
+{ self, ... }:
+{
+  imports = [ ];
+
+  flake.nixosModules.scan = {
+    imports = [ ./module.nix ];
+  };
+
+  perSystem =
+    {
+      pkgs,
+      self',
+      lib,
+      ...
+    }:
+    with lib;
+    {
+      apps.scan = {
+        type = "app";
+        program =
+          let
+            ports = machine: self.nixosConfigurations.${machine}.options.verify.closed.value.public.ports;
+            domain = machine: self.nixosConfigurations.${machine}.options.verify.closed.value.public.domain;
+          in
+          pkgs.writers.writeBashBin "scan" ''
+            ${pkgs.rustscan}/bin/rustscan --ports ${concatStringsSep "," (map toString (ports "orbi"))} --addresses ${domain "orbi"} --greppable
+          '';
+      };
+    };
+
+}
--- a/nix/scan/module.nix
+++ b/nix/scan/module.nix
@ -0,0 +1,24 @@
+{ lib, ... }:
+with lib;
+with types;
+{
+  options.verify.closed = mkOption {
+    default = { };
+    type = attrsOf (submodule {
+      options = {
+        domain = mkOption {
+          type = str;
+          description = ''
+            domain to scan
+          '';
+        };
+        ports = mkOption {
+          type = listOf int;
+          description = ''
+            ports that should be closed
+          '';
+        };
+      };
+    });
+  };
+}